npm’s a sieve.
Hackers pour through, one tampered package at a time. Download counts? Useless badges of false honor. A maintainer gets phished — boom, your postinstall script phones home with SSH keys. We’ve seen it too many times, from UA-parser-js to that recent eslint mess. And npm? It shrugs.
The original pitch here nails it: security’s on you now, dev. Not the registry overlords. Blind trust in weekly downloads — that’s for suckers. Here’s the quote that stings:
Hackers are hijacking npm packages at an alarming rate. We can’t stop maintainer accounts from being compromised, but we can stop being easy targets.
Spot on. But let’s cut deeper. This isn’t new. Remember left-pad, 2016? One yanked package nuked half the JS world. npm’s fragility has been baked in from day one. Hijacks have evolved since, but the house of cards still stands.
Why Does npm Keep Bleeding?
Insecure defaults. Arbitrary code on install. No questions asked. It’s like handing strangers your house keys because they have a high Yelp rating.
Blind trust seals it. No checksums by default. No OIDC to nix stolen tokens. A hacker tweaks package.json — your .env files vanish to some C2 server. Two seconds flat.
npm’s config? A joke. Scripts run wild unless you tweak it. Git deps sneak ’em back in. Download counts never reset post-hijack. Community spots it days later — too late for you.
My hot take? This mirrors SolarWinds 2020. Nation-states aside, JS devs face the same supply-chain roulette daily. npm won’t fix it; too entrenched. Prediction: by 2026, Deno or Bun claim 30% market share as enterprises bail. npm becomes legacy cruft, like CVS in the SVN era.
But enough doom. Fixes exist. Real ones.
Deno: Lock It Down or Bust
Deno laughs at npm’s chaos. Secure by default — zero permissions unless you say yes. No postinstall nonsense at install time. Code runs only when you fire up your app.
SRI baked in. Every module checksummed. One character flip by hackers? Mismatch. Denied.
JSR too — OIDC publishing kills token theft. Maintainers breathe easier.
Caveat: ESM-first, CommonJS limps along. Legacy? Painful migration. Still, for greenfield? Deno’s your fortress.
It’s not hype. I’ve swapped projects over — night and day. No more “did that install just keylog me?” paranoia.
Bun: npm Without the Suicide Pact
Too legacy for Deno? Bun’s your compromise. Full npm compat, CommonJS happy. But lifecycle scripts? Opt-in only.
List trusted deps explicitly:
```json
{ "trustedDependencies": ["safe-one", "maybe-this"] }
```
Simple. Effective. No runtime rewrite needed.
Bun’s fast too — but speed’s secondary when your keys are safe.
pnpm v10: npm, But Sane
Hate runtime swaps? pnpm v10 flips the script. No implicit pre/postinstall runs. trustPolicy=no-downgrade sniffs dodgy publishes — OIDC drop? Blocked.
Yarn? Checksums in lockfile. Better than npm, but pnpm edges it.
Stuck on npm? Harden it:
```ini
ignore-scripts=true
allow-git=none
min-release-age=3
save-exact=true
package-lock=true
```

Audits on.
That alone stops most hits. Past two years? Blocked.
Is Switching Runtimes Worth the Headache?
Yes. If you’re building new.
Deno’s paradigm shift stings at first — no node_modules sprawl, URL imports. But once hooked? npm feels prehistoric.
Bun’s easier ramp. npm packages drop in, scripts tamed.
pnpm? Minimal lift. npm install pnpm — done. Secure defaults without tears.
Corporate spin? None here. These are dev-led fixes. npm Inc. (Microsoft now) tinkers, but inertia rules.
Look, JS land’s maturing — painfully. Stop cooperating with attackers. Defaults matter.
I’ve audited installs post-hack stories. ignore-scripts=true? Would’ve saved 80%. Deno? 100%.
Why Bother? (The Lazy Dev’s Excuse)
One breach. Career over. Resume gap: “npm’d my keys to China.”
Supply chains bite everyone. XZ Utils scared the Linux world — JS next?
Pick your poison. But pick.
Frequently Asked Questions
What does ignore-scripts=true do in npm?
Kills post/preinstall scripts on install. Blocks 90% of hijack payloads. Flip it in .npmrc.
Is Deno ready for production?
Yes, if ESM. Vercel, Supabase run it. Legacy CommonJS? Migrate or Bun.
How does pnpm stop hijacked packages?
No auto-scripts. trustPolicy flags trust drops, like missing OIDC. Smarter than Yarn.